The privacy officer’s changing role in the age of innovation and AI

Key takeaways

The privacy officer’s role has evolved from compliance to being a strategic partner in innovation and governance.
Experts emphasized the need for privacy officers to collaborate closely with departments like IT and cybersecurity.
Ultimately, data privacy is a competitive advantage, essential for sustaining trust and innovation in organizations.

Last month Osler’s Montréal office hosted the firm’s second annual Privacy Conference, organized by the Privacy and Data Management team. The half-day program, followed by a networking lunch, brought together industry experts and in-house counsel to discuss a range of hot topics, including the implementation of amendments introduced by Law 25, emerging litigation trends, artificial intelligence (AI) governance, new technologies and cybersecurity.

One high point was a panel moderated by Eloïse Gratton, partner and Co-Chair of Osler’s national Privacy and Data Management practice, on emerging privacy risks and the changing role of in-house counsel. Three renowned experts shared their experiences

Anthony Hémond, Lawyer – Senior Counsel, Privacy, Air Canada
Jasmine Adhami, Senior Director, Legal Affairs and Privacy Officer, Dollarama
Selina Sforza, Director, Legal Operations, Alimentation Couche-Tard

Their discussion brought forward a shared conclusion: that today’s privacy officer is a strategic player straddling the fields of law, technology and corporate governance.

From compliance to strategy: an evolving role

The panellists emphasized that the privacy officer’s role has changed dramatically. Once viewed as a siloed compliance task, data privacy has become a driver of governance and innovation.

Selina sees this shift translating into much closer day-to-day collaboration with innovation teams. “We work directly with development and innovation teams to build privacy right into the product at the design stage,” she explained. “It’s still compliance, but it’s also — and especially — a tool for responsible innovation.”

This transformation requires more agility in adapting to changing laws. Jasmine pointed out that “it can take months or even years for regulators to catch up with new legislation,” which means organizations have to adjust their strategies in midstream. She sees the privacy officer’s role as being one of adaptation and risk comprehension. “We have to navigate uncertainty while keeping our program coherent.”

Anthony emphasized the technological aspect of data privacy. “The privacy officer has to be an expert in cybersecurity, data governance and, more and more, AI. It’s a hybrid role, dealing in both law and technology.”

These comments point to a radical transformation: the privacy officer is no longer a simple compliance watchdog, but a business partner who helps the organization innovate responsibly.

Making data privacy matter to management

How can we get management to commit fully to data privacy? This core question elicited a rich exchange.

For Jasmine, the key is to “forge direct ties with strategic departments such as projects, innovation and cybersecurity, and be present on risk management and architecture committees.” She also emphasized the importance of staying pragmatic. “Short, targeted messages are much more effective than a long report. For example, an email summarizing a judgment enforceable abroad can spark immediate dialogue and keep privacy issues on management’s agenda.”

In Anthony’s opinion, board members will only become more aware if they are made accountable. “Recent decisions where boards were held liable for cybersecurity incidents have been game changers,” he noted, adding that compliance can even be a competitive advantage. “Some companies in Europe cite their GDPR compliance to show their reliability and to stand out from their less meticulous competitors.”

Selina, who bases her approach on brand value, said that, in her experience, management will pay attention to messages that speak in terms of business risks and opportunities. “Describing the risks and giving concrete examples will often have more impact than expounding on the topic at length,” she explained. “Data privacy is also about sustainability and brand trust.”